attempting security enhancements on a new site


petevannuys
Any advice will be appreciated...

 

1.) have I done these things correctly?

 

I have newly installed the osC2.2 RC2. w/ no items uploaded.

I have

* removed admin/file_manager.php

* removed admin/define_language.php

* renamed admin to "Bob"

* passworded Bob using the Password Protect in cPanel, and have .htaccess file therein

* changed the following lines in Bob/includes/configure.php, thusly:

define('DIR_WS_ADMIN', '/Bob/');

define('DIR_FS_ADMIN', '/your/path/to/directory/Bob/');

 

Now I can't log in to ..../catalog/Bob.

I get a .../catalog/admin/login.php?osCAdminID=8v0kt3siu0r55dearvrd900m86

which I infer means I'm close but not really there.

 

If I keep entering I just get a 404.

 

I made all these changes in cPanel's File Manager.

 

2.) will these changes prevent the current nasty hacks going around?

 

Thanks for your time and insight.


 

define('DIR_WS_ADMIN', '/Bob/');

If this line exists:

define('DIR_WS_CATALOG', '/catalog/');

 

then this line should be:

define('DIR_WS_ADMIN', '/catalog/Bob/');

 

 

But you may have installed in /root/ and not in /catalog/ in which case I would say try a reload or clear cookies.

 

The question I have is, do you get the directory security login and pass that, only to get the 404, or do you get the 404 without ever reaching the directory security?

 

 

Edit: Looking back I see you did install into a /catalog/ directory. Use the define above with the /catalog/Bob in it, and remember that *nix is case sensitive. Bob is not the same as bob.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


is DIR_FS_ADMIN set to the full server path to your admin directory?

 

I hope "Bob" is just figurative ;) You don't really want to be openly disclosing your admin dir's name anywhere.


2.) will these changes prevent the current nasty hacks going around?

 

Some of them. There are other security "enhancements" such as anti-XSS, .htaccess in the images directory, Sams Anti Hacker Account Mods, and PHP IDS, to name but a few. I suggest reading and digesting the pinned security thread.

 

Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


1.) reason for not being able to log in (file under "Doh!"):

includes/config.php permissions were set to 444, i.e. read only, so changes weren't being saved.

Support at BlueHost said change it to 644, make my edit, and quickly change it back.

I did and it worked. And I learned something in the process (Yaaaaa!)

 

2.) Yes, "Bob" is just a pseudonym, thanks for asking.

 

3.) @ Mort-lemure: ...I suggest reading and digesting the pinned security thread.

I see several threads, actually. Since my empty site has only been up two days now, I'm hoping it's not infected. So I'm ignoring advice about searching for and deleting hinky code. Besides, I wouldn't recognize hinky code if I saw it.

I guess it's like locking a bicycle. You can't keep someone from stealing it; you just want to make it hard enough that the thief steals someone else's.

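Pulling together the checks raised in this thread (the DIR_WS_ADMIN/DIR_WS_CATALOG relationship from the first reply, the DIR_FS_ADMIN full-path question, the removed admin scripts, and the configure.php permissions from the post above) into one audit script. This is an added example in POSIX sh, not osCommerce's code or any poster's; it assumes the shipped osC 2.2 file names file_manager.php and define_language.php, an .htaccess carrying a Require directive as cPanel's Password Protect writes, and it builds a constructed sample tree instead of touching a real site.

```shell
# Added example (not osCommerce code): audit a renamed osC 2.2 admin directory
# against the points raised in the thread; the sample tree below is constructed.
# Read the value of define('NAME', 'value'); from a configure.php.
osc_define() {
    sed -n "s/^[[:space:]]*define('$2',[[:space:]]*'\([^']*\)');.*/\1/p" "$1" | head -n 1
}
# Prints each failing check; returns 0 only when every check passes.
audit_osc_admin() {
    conf="$1"; rc=0
    ws_catalog=$(osc_define "$conf" DIR_WS_CATALOG)
    ws_admin=$(osc_define "$conf" DIR_WS_ADMIN)
    fs_admin=$(osc_define "$conf" DIR_FS_ADMIN)
    # The reply's point: '/Bob/' is wrong when the catalog lives in '/catalog/'.
    case "$ws_admin" in
        "$ws_catalog"*) ;;
        *) echo "DIR_WS_ADMIN '$ws_admin' is not under DIR_WS_CATALOG '$ws_catalog'"; rc=1 ;;
    esac
    # DIR_FS_ADMIN must be the full, case-correct server path (Bob != bob on *nix).
    [ -d "$fs_admin" ] || { echo "DIR_FS_ADMIN '$fs_admin' is not a directory"; rc=1; }
    # Scripts that let a logged-in admin edit arbitrary files should be gone.
    for f in file_manager.php define_language.php; do
        [ ! -e "$fs_admin/$f" ] || { echo "$f still present in admin directory"; rc=1; }
    done
    # cPanel's Password Protect writes an .htaccess with a Require directive.
    grep -qs 'Require' "$fs_admin/.htaccess" || { echo "no password .htaccess in $fs_admin"; rc=1; }
    # 644 while editing and 444 afterwards are fine; group/world-writable is not.
    case "$(ls -ld "$conf" | cut -c6,9)" in
        *w*) echo "configure.php is group/world writable"; rc=1 ;;
    esac
    return $rc
}
# Constructed sample tree mirroring the thread's layout; $1 is the DIR_WS_ADMIN value to test.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/catalog/Bob/includes"
    cat > "$root/catalog/Bob/includes/configure.php" <<EOF
<?php
  define('DIR_WS_CATALOG', '/catalog/');
  define('DIR_WS_ADMIN', '$1');
  define('DIR_FS_ADMIN', '$root/catalog/Bob/');
EOF
    printf 'AuthType Basic\nAuthName "Bob"\nRequire valid-user\n' > "$root/catalog/Bob/.htaccess"
    chmod 644 "$root/catalog/Bob/includes/configure.php"
    echo "$root"
}
site=$(make_fixture /catalog/Bob/)
audit_osc_admin "$site/catalog/Bob/includes/configure.php" && echo "admin setup looks right"
```

Run it against a real configure.php by calling audit_osc_admin with that path instead of the fixture; every printed line is one of the thread's checks that still needs attention.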

I guess it's like locking a bicycle. You can't keep someone from stealing it; you just want to make it hard enough that the thief steals someone else's.

It's more like.... if you are going to paint your bicycle and let it dry for two or three days then do it locked up in the garage and not out on the street.

 

 

(Translation: Put a directory security password on your site while you are working on it. Only open it up to the public when you have most or all the security mods completed.)
